The law requires it, but customers demand it: cyber security and privacy are good business

April 2016 | EXPERT BRIEFING | RISK MANAGEMENT

financierworldwide.com

The customer paradigm for financial services firms through the beginning of this century was: “How’s my money doing?” But now, in a development never remotely contemplated by business schools, investors large and small have an equivalent concern: “Is my money, and information about me and my money, safe?” In the wake of the cyber attacks that appear to take place every week, cyber security is a business concern, and no one is too small or too big to be immune. Investors and customers have walked, and will continue to walk, if not run, from companies that have had significant breaches – take Target for instance, whose annual revenue dropped approximately 40 percent in the year following its massive data breach. Conversely, good stewardship of information, as well as funds, can serve to attract business.

Cyber security laws and regulations, and the potential cost exposures and liabilities from breaches and cyber attacks that stem from failures to meet the information safeguard requirements in those provisions, will be summarised below. These threats are growing as governmental agencies in the US fill the vacuum left by an absence of national legislative action. In addition, some agencies, like the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) have found that information security is a means to regain lustre perhaps lost by infrequent enforcement in the run up to the Great Recession. It is not unusual to attend a cyber security conference and hear a panellist from the FTC proudly proclaim that, when it comes to information safeguards, the FTC is ‘the new cop on the beat’. However, c-suite personnel, and boards, have been known to ‘whistle past the graveyard’ when it comes to risks of regulatory proceedings and litigation. This insouciance can take many forms – the CFO demanding that the CIO quantify the risk of subscriber funds or data loss from a breach or cyber attack before authorising money for security upgrades, the CEO confidently stating that her systems are sound, whether or not they have been tested recently (or at all), the IT department stating that it has no time for security research because, as the Red Queen said in Alice in Wonderland, “It’s all the running we can do to (just) remain in one place!”

The legal liability and business risks are real, and growing. We live in an era of financial technology, or FinTech, in which investing, corporate banking and consumer banking are becoming increasingly internet based. Mobile payments (Apple Pay, Samsung Pay, etc.) are increasing in consumer popularity and acceptance by retail establishments. Equities transactions have been electronic for many years now, and ‘first to the block’ can depend upon bandwidth and the qualities of the transmission media. Travelling with those transactions is identifying information about those who ordered the transactions, such as account numbers. Stock purchase orders are not placed on paper any more than bank deposits are made with deposit slips comprising white, pink and yellow copies. Those days left with the floppy disk, the VHS video recorder and the Sony Walkman.

This illustrates one of the great paradigms of FinTech: as financial information has become digital, the volume of it has increased and, concomitantly, its vulnerability to loss through negligence or cyber attacks has grown exponentially. In recognition of this fact, regulators in the US and Europe have doubled down on information safeguard regulations, and enforcement of those regulations. The New York Department of Financial Services, for example, now has a cyber security compliance provision of its annual bank examinations that includes representations as to cyber security vetting of vendors and other business partners (no doubt influenced by third-party vendor access to Target’s network by its attackers). The FTC, acting under authority of its enabling act, has pursued companies that have been attacked or that have sustained breaches where the companies’ representations as to security have not been borne out by facts revealed after the breach or attack. The disconnect between these representations and the ‘facts on the ground’ may be considered by the FTC to be deceptive or unfair trade practices and the agency has commenced proceedings to recover funds lost through breaches, and seek significant monetary penalties, and has also brought litigation. Its action against Wyndham Worldwide Corporation in the wake of its loss of credit card information of thousands of hotel guests was sustained by the US Court of Appeals for the Third Circuit.

Class action litigation and derivate shareholder suits are also very real exposures following a cyber attack. The United States District Court for the Northern District of California recently ruled that Anthem, Inc. is required to defend a class action in the wake of the health insurer’s breach, following a massive cyber attack on the health information of over 90 million subscribers brought under the consumer protection laws of several states.

A United States District Court in New Jersey, in dismissing a shareholder’s suit against Wyndham Worldwide, held that the Business Judgment Rule (which holds that directors will not be liable for decisions made as a result of exercise of their business judgment in their roles as directors) would result in a dismissal of that case because, ironically, the board had taken multiple steps to investigate the breach, and had documented each of those steps. In other words, that case stands for the proposition that other directors in other cases, in order to take advantage of the Business Judgment Rule, must show that they took concrete steps to investigate, mitigate and, perhaps, remediate damage from a cyber attack.

Business, though, sells better than fear when it comes to financial services cyber security. Security experts advise that firms should not work to secure their information systems only to meet compliance standards but, rather, should use compliance standards as a metric to tighten information systems so that the firms are good caretakers of subscribers’ and investors’ information as well as their funds.

Security professionals call this initiative ‘security by design’. Rather than waiting to fix the problem after a breach, or government audit or law suit in the wake of a cyber attack, the firm should ask, “What do we need to do to take the best care of our customers’ data?” before the problem arises. It would then retain a cyber security initiative ‘captain’, usually outside counsel, to coordinate an interdisciplinary working group, which will comprise IT, outside security consultants, risk and compliance, business records (if such a group exists within the firm), and business ‘owners’ (the front-line daily users of firm data). This group maps the firm’s data (characters of data, where they are stored, where they are sent and how they are used in the firm’s business) and then makes recommendations as to how it can be best protected against threats at each point, using current financial services’ best cyber security practices.

When making recommendations to the CFO or the board, accurate metrics as to cost and benefits can be shown and more cogent selling points than fear will become apparent – customer retention and potential increases in business would arise from enhanced customer trust in how their information is handled and secured.

Kenneth N. Rashbaum is a partner at Barton LLP. He can be contacted on +1 (212) 885 8836 or by email: krashbaum@bartonesq.com.